New Scanning Going On .. And SSH Scanning is now looking at more names than test etc


ladylinux
08-18-04, 21:15
Hello,

More distributed Scans

We received more logs from what looks like a distributed scan for vulnerable scripts.
You can find an excerpt below:

[Mon Aug 16 07:05:40 2004] [error] [client 200.48.218.178] script not found or unable to stat: /yyyyyy/xxxxx/public_html/mail.cgi
[Mon Aug 16 07:05:39 2004] [error] [client 213.128.225.93] script not found or unable to stat: /yyyyyy/xxxxx/public_html/cgi-bin/FormMail.pl
[Mon Aug 16 07:05:34 2004] [error] [client 65.112.194.26] script not found or unable to stat: /yyyyyy/xxxxx/public_html/cgi-bin/formmail.cgi
[Mon Aug 16 07:05:23 2004] [error] [client 194.224.199.205] script not found or unable to stat: /yyyyyy/xxxxx/public_html/cgi-bin/mailform.pl
[Mon Aug 16 07:05:20 2004] [error] [client 216.145.226.35] script not found or unable to stat: /yyyyyy/xxxxx/public_html/cgi-bin/contact.cgi
[Mon Aug 16 07:05:19 2004] [error] [client 218.45.229.101] script not found or unable to stat: /yyyyyy/xxxxx/public_html/cgi-bin/formmail.pl

This is from SANS .. and now it's showing up in my Honeyd pots ..

Question .. Has PSOFT finally gotten rid of Matt's FormMail .. ?? I have replaced mine with NMS .. But I looked at the last few change logs and see zilch ...

Number two: widespread SSH scans are now looking at

admin
operator
root
toor

among others ...

People .. Use Dynamic's guide to keep that SSH safe ... ASAP!

Lady Linux :)
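The distributed pattern in the excerpt (six different client IPs, each asking for a different mail-script name within about 20 seconds) can be picked out of an Apache error_log mechanically. The script below is an added example, not part of the original post or of anything SANS published; it keys on the script basename rather than the full path, since the leading directory only reflects the hosting layout, and the seventh sample line is a constructed ordinary 404 to show that unrelated errors are ignored.

```python
import re
from datetime import datetime

# Apache error_log entry for a request to a script that does not exist
# (the format of the SANS excerpt quoted in the post above).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"script not found or unable to stat: (?P<path>\S+)$"
)

# Script names probed in the thread, matched on the basename only: the leading
# directory depends on the hosting layout and the scanner lets the web server
# resolve it, so keying on the full path would miss probes on other layouts.
MAIL_SCRIPTS = {"formmail.pl", "formmail.cgi", "mail.cgi", "mailform.pl", "contact.cgi"}

# Sample input: the six lines from the post, plus one constructed ordinary 404.
SAMPLE_LINES = [
    "[Mon Aug 16 07:05:40 2004] [error] [client 200.48.218.178] script not found or unable to stat: /yyyyyy/xxxxx/public_html/mail.cgi",
    "[Mon Aug 16 07:05:39 2004] [error] [client 213.128.225.93] script not found or unable to stat: /yyyyyy/xxxxx/public_html/cgi-bin/FormMail.pl",
    "[Mon Aug 16 07:05:34 2004] [error] [client 65.112.194.26] script not found or unable to stat: /yyyyyy/xxxxx/public_html/cgi-bin/formmail.cgi",
    "[Mon Aug 16 07:05:23 2004] [error] [client 194.224.199.205] script not found or unable to stat: /yyyyyy/xxxxx/public_html/cgi-bin/mailform.pl",
    "[Mon Aug 16 07:05:20 2004] [error] [client 216.145.226.35] script not found or unable to stat: /yyyyyy/xxxxx/public_html/cgi-bin/contact.cgi",
    "[Mon Aug 16 07:05:19 2004] [error] [client 218.45.229.101] script not found or unable to stat: /yyyyyy/xxxxx/public_html/cgi-bin/formmail.pl",
    "[Mon Aug 16 07:06:01 2004] [error] [client 10.0.0.5] File does not exist: /yyyyyy/xxxxx/public_html/favicon.ico",  # constructed
]

def parse_line(line):
    """Return (timestamp, client_ip, basename), or None for lines that are not probes."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["ip"], m["path"].rsplit("/", 1)[-1].lower()

def find_distributed_scan(lines, window_seconds=60, min_sources=3):
    """Bucket mail-script probes into time windows and report windows in which at
    least `min_sources` distinct client IPs took part (many hosts each trying one
    name is a different pattern from one host trying many names)."""
    probes = sorted(p for p in map(parse_line, lines) if p and p[2] in MAIL_SCRIPTS)
    findings, i = [], 0
    while i < len(probes):
        start = probes[i][0]
        window = [p for p in probes[i:] if (p[0] - start).total_seconds() <= window_seconds]
        ips = {p[1] for p in window}
        if len(ips) >= min_sources:
            findings.append({"start": start.isoformat(), "sources": len(ips),
                             "scripts": sorted({p[2] for p in window})})
        i += len(window)
    return findings
```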

dynamicnet
08-19-04, 06:22
Greetings:

Thank you Lady Linux. You are an asset to Positive Software and this forum.

http://isc.sans.org/diary.php?date=2004-08-18 for those interested in the direct link.

Also see http://isc.sans.org/diary.php?date=2004-07-28 and http://isc.sans.org/diary.php?date=2004-07-23

Thank you.

roj
08-19-04, 06:59
I see that you already downloaded, installed and use Snort from http://www.root0.net. :D
I hope it is useful...

alex042
08-19-04, 07:02
This public_html path shouldn't work on HSphere servers, so I don't think it will be an issue like with cPanel servers or some others that might use that directory structure. I guess the hackers figured this path was more common than those HSphere uses, and they probably are going to the easy targets.

dynamicnet
08-19-04, 07:46
Greetings:

When vulnerable formmail scanning takes place, the DOCUMENT_ROOT variable is completely irrelevant.

Whether it is public_html or the HSphere home directory does not matter, since the scanner is relying on the Web server to do a lot of its work.

This means ALL servers are a target, not just those that have a particular path.

What's going on here is a demonstration of the need for multiple layers of security.

Thank you.

Cheetah
08-19-04, 09:37
We have also been receiving some scans but ours is for

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Aug 18 19:13:07 web snort: [1:2307:2] WEB-PHP PayPal Storefront arbitrary command execution attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 213.78.74.184:3387 -> 65.110.51.11:80
Aug 18 19:13:17 web snort: [1:2307:2] WEB-PHP PayPal Storefront arbitrary command execution attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 213.78.74.184:3387 -> 65.110.51.11:80


What should we do to block these scans? Or is there anything to do other than protect SSH?

roj
08-19-04, 11:28
We have also been receiving some scans but ours is for

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Aug 18 19:13:07 web snort: [1:2307:2] WEB-PHP PayPal Storefront arbitrary command execution attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 213.78.74.184:3387 -> 65.110.51.11:80
Aug 18 19:13:17 web snort: [1:2307:2] WEB-PHP PayPal Storefront arbitrary command execution attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 213.78.74.184:3387 -> 65.110.51.11:80


What should we do to block these scans? Or is there anything to do other than protect SSH?

If you have Snort with the Snortsam patch from root0.net you can use the /etc/snort/iptsamconf script:
========================
# cd /etc/snort
# ./iptsamconf -t 60 -s 2307
FILE: /etc/snort/rules/web-php.rules

RULE:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront remote file include attemtp"; flow:to_server,established; content:"do=ext"; content:"page="; pcre:"/page=(http|https|ftp)/i"; reference:bugtraq,8791; reference:nessus,11873; classtype:web-application-attack; sid:2307; rev:5;)

Enable function...

NEW RULE:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront remote file include attemtp"; flow:to_server,established; content:"do=ext"; content:"page="; pcre:"/page=(http|https|ftp)/i"; reference:bugtraq,8791; reference:nessus,11873; classtype:web-application-attack; sid:2307; rev:5; fwsam: src, 60 minutes;)

#
#
====================
It will block the scanner's IPs for 60 minutes via iptables...

Where ( ./iptsamconf -t 60 -s 2307 )
-t 60 ---> 60 minutes
-s 2307 ---> Snort rule SID 2307
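The RULE / NEW RULE pair above shows exactly what the script changes: a `fwsam: src, 60 minutes;` option is appended inside the rule's option list. The following is an added example that reproduces that edit in Python; it is not iptsamconf or Snortsam's own code, it assumes one rule per line (no backslash continuations), and the second rule in `RULES_FILE` is a constructed placeholder used only to show that other rules and comments pass through untouched.

```python
import re

# The Snort rule for SID 2307 as printed by iptsamconf in the post above.
RULE_2307 = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront '
             'remote file include attemtp"; flow:to_server,established; content:"do=ext"; content:"page="; '
             'pcre:"/page=(http|https|ftp)/i"; reference:bugtraq,8791; reference:nessus,11873; '
             'classtype:web-application-attack; sid:2307; rev:5;)')

# Constructed stand-in for a rules file: a comment, the real rule, and a placeholder rule.
RULES_FILE = ("# web-php.rules (constructed excerpt)\n" + RULE_2307 + "\n"
              'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CONSTRUCTED placeholder"; '
              'sid:9999999; rev:1;)\n')

def fwsam_option(minutes, who="src"):
    """Snortsam directive in the form the post shows for `-t 60`: block the source address."""
    return f"fwsam: {who}, {minutes} minutes;"

def sid_of(rule):
    """Extract the numeric SID from a rule's option list, or None if it has none."""
    m = re.search(r"\bsid\s*:\s*(\d+)\s*;", rule)
    return int(m.group(1)) if m else None

def add_fwsam(rule, minutes, who="src"):
    """Return `rule` with the fwsam option appended before the closing parenthesis.
    A rule that already carries fwsam is returned unchanged, so the edit is idempotent."""
    rule = rule.rstrip()
    if not rule.endswith(")"):
        raise ValueError("not a complete single-line Snort rule: " + rule[:40])
    if re.search(r"\bfwsam\s*:", rule):
        return rule
    return rule[:-1].rstrip() + " " + fwsam_option(minutes, who) + ")"

def patch_rules(text, sid, minutes, who="src"):
    """Rewrite only the alert rule with the given SID in a rules-file body.
    Returns (new_text, number_of_rules_changed); comments and other rules are untouched."""
    out, changed = [], 0
    for line in text.splitlines():
        if line.lstrip().startswith("alert") and sid_of(line) == sid:
            line = add_fwsam(line, minutes, who)
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed
```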

ladylinux
08-19-04, 12:02
I see that you already downloaded, installed and use Snort from http://www.root0.net.

Oh yes, on one server .. And a separate honeyd server on another .. amazing what a few extra public IPs and a good switch can do to help you see what's coming ..

Lady Linux